Bill Text: IA SF2321 | 2023-2024 | 90th General Assembly | Introduced
Bill Title: A bill for an act relating to consumer data protection, and including effective date provisions.(Formerly SF 2272.)
Spectrum: Committee Bill
Status: (Introduced - Dead) 2024-02-14 - Committee report, approving bill. S.J. 296. [SF2321 Detail]
Download: Iowa-2023-SF2321-Introduced.html
Senate
File
2321
-
Introduced
SENATE
FILE
2321
BY
COMMITTEE
ON
TECHNOLOGY
(SUCCESSOR
TO
SF
2272)
A
BILL
FOR
An
Act
relating
to
consumer
data
protection,
and
including
1
effective
date
provisions.
2
BE
IT
ENACTED
BY
THE
GENERAL
ASSEMBLY
OF
THE
STATE
OF
IOWA:
3
TLSB
5571SV
(1)
90
nls/ko
S.F.
2321
Section
1.
Section
715D.1,
subsection
5,
as
enacted
by
1
2023
Iowa
Acts,
chapter
17,
section
1,
is
amended
to
read
as
2
follows:
3
5.
“Child”
means
any
natural
person
younger
than
thirteen
4
eighteen
years
of
age.
5
Sec.
2.
Section
715D.1,
as
enacted
by
2023
Iowa
Acts,
6
chapter
17,
section
1,
is
amended
by
adding
the
following
new
7
subsections:
8
NEW
SUBSECTION
.
9A.
“Decision
that
produces
legal
or
9
similarly
significant
effects
concerning
a
consumer”
means
a
10
decision
made
by
a
controller
that
affects
the
ability
of
a
11
person
to
access
any
of
the
following:
12
a.
Financial
and
lending
services.
13
b.
Housing.
14
c.
Insurance.
15
d.
Education.
16
e.
Criminal
justice
services.
17
f.
Employment
opportunities.
18
g.
Health
care
services.
19
h.
Basic
necessities,
such
as
food
and
water.
20
NEW
SUBSECTION
.
12A.
“Health
data”
means
data
that
21
pertains
to
the
health
status
of
an
individual
that
discloses
22
information
related
to
the
past,
current,
or
future
physical
or
23
mental
health
status
of
the
individual.
24
NEW
SUBSECTION
.
21A.
“Profiling”
means
any
form
of
25
automated
processing
performed
on
personal
data
to
evaluate,
26
analyze,
or
predict
specific
factors
related
to
the
economic
27
status,
health,
personal
preferences,
interests,
reliability,
28
behavior,
location,
or
movements
of
an
identified
or
29
identifiable
individual.
30
Sec.
3.
Section
715D.1,
subsection
14,
as
enacted
by
31
2023
Iowa
Acts,
chapter
17,
section
1,
is
amended
to
read
as
32
follows:
33
14.
“Health
record”
means
any
written,
printed,
or
34
electronically
recorded
material
maintained
by
a
health
care
35
-1-
LSB
5571SV
(1)
90
nls/ko
1/
4
S.F.
2321
provider
in
the
course
of
providing
health
services
to
an
1
individual
concerning
the
individual
and
the
services
provided,
2
including
related
health
information
and
associated
nonhealth
3
information,
provided
in
confidence
to
a
health
care
provider.
4
Sec.
4.
Section
715D.1,
subsection
26,
as
enacted
by
2023
5
Iowa
Acts,
chapter
17,
section
1,
is
amended
by
adding
the
6
following
new
paragraph:
7
NEW
PARAGRAPH
.
e.
Health
data.
8
Sec.
5.
Section
715D.2,
subsection
2,
as
enacted
by
2023
9
Iowa
Acts,
chapter
17,
section
2,
is
amended
to
read
as
10
follows:
11
2.
This
Except
as
it
relates
to
health
data,
this
chapter
12
shall
not
apply
to
the
state
or
any
political
subdivision
of
13
the
state;
financial
institutions,
affiliates
of
financial
14
institutions,
or
data
subject
to
Tit.
V
of
the
federal
15
Gramm-Leach-Bliley
Act
of
1999,
l5
U.S.C.
§6801
et
seq.;
16
persons
who
are
subject
to
and
comply
with
regulations
17
promulgated
pursuant
to
Tit.
II,
subtit.
F,
of
the
federal
18
Health
Insurance
Portability
and
Accountability
Act
of
1996,
19
Pub.
L.
No.
104-191,
and
Tit.
XIII,
subtit.
D,
of
the
federal
20
Health
Information
Technology
for
Economic
and
Clinical
Health
21
Act
of
2009,
42
U.S.C.
§17921
-
17954;
nonprofit
organizations;
22
or
institutions
of
higher
education.
23
Sec.
6.
Section
715D.2,
subsection
3,
as
enacted
by
2023
24
Iowa
Acts,
chapter
17,
section
2,
is
amended
by
adding
the
25
following
new
paragraph:
26
NEW
PARAGRAPH
.
0b.
Information
or
data
maintained
by
a
27
public
health
authority,
as
defined
by
HIPAA,
provided
the
28
public
health
authority
has
received
the
consumer’s
consent
29
unless
otherwise
required
by
HIPAA.
30
Sec.
7.
Section
715D.2,
subsection
3,
paragraph
l,
as
31
enacted
by
2023
Iowa
Acts,
chapter
17,
section
2,
is
amended
32
to
read
as
follows:
33
l.
Information
used
only
for
public
health
activities
and
34
purposes
Purposes
as
authorized
by
HIPAA
.
,
provided
that
the
35
-2-
LSB
5571SV
(1)
90
nls/ko
2/
4
S.F.
2321
information
is
all
of
the
following:
1
(1)
De-identified.
2
(2)
Aggregated.
3
(3)
Processed
in
batches
of
no
less
than
one
hundred
4
consumers.
5
Sec.
8.
Section
715D.3,
subsection
1,
paragraph
d,
as
6
enacted
by
2023
Iowa
Acts,
chapter
17,
section
3,
is
amended
7
by
striking
the
paragraph
and
inserting
in
lieu
thereof
the
8
following:
9
d.
To
be
notified
of,
or
to
opt
out
of,
profiling
in
10
furtherance
of
a
decision
that
produces
legal
or
similarly
11
significant
effects
concerning
a
consumer.
Notification
to
12
the
consumer
pursuant
to
this
paragraph
shall
be
in
plain
13
language
and
include
the
type
of
data
subject
to
profiling,
14
any
requirements
for
a
person
receiving
the
consumer’s
data
to
15
delete
or
return
the
data,
and
the
process
for
a
consumer
to
16
file
a
complaint.
17
Sec.
9.
EFFECTIVE
DATE.
This
Act
takes
effect
January
1,
18
2025.
19
EXPLANATION
20
The
inclusion
of
this
explanation
does
not
constitute
agreement
with
21
the
explanation’s
substance
by
the
members
of
the
general
assembly.
22
This
bill
relates
to
consumer
data
protection
and
amends
23
2023
Iowa
Acts,
chapter
17.
24
Under
Code
section
715D.1,
as
enacted
by
2023
Iowa
Acts,
25
chapter
17,
section
1,
“child”
is
defined
as
any
natural
person
26
younger
than
13
years
of
age.
Under
the
bill,
“child”
is
27
defined
as
any
natural
person
younger
than
18
years
of
age.
28
The
bill
expands
the
definition
of
“health
record”
to
29
include,
in
addition
to
any
record
containing
related
health
30
information,
any
record
containing
nonhealth
information
that
31
is
related
to
health
information
provided
in
confidence
to
a
32
health
care
provider.
33
The
bill
expands
the
definition
of
“sensitive
data”
to
34
include
health
data.
“Health
data”
is
defined
in
the
bill.
35
-3-
LSB
5571SV
(1)
90
nls/ko
3/
4
S.F.
2321
Under
the
bill,
except
as
it
relates
to
health
data,
the
1
Code
chapter
shall
not
apply
to
the
state
or
any
political
2
subdivision
of
the
state;
financial
institutions,
affiliates
3
of
financial
institutions,
or
data
subject
to
Tit.
V
of
the
4
federal
Gramm-Leach-Bliley
Act
of
1999,
15
U.S.C.
§6801
et
5
seq.;
persons
who
are
subject
to
and
comply
with
regulations
6
promulgated
pursuant
to
Tit.
II,
subtit.
F,
of
the
federal
7
Health
Insurance
Portability
and
Accountability
Act
of
1996,
8
Pub.
L.
No.
104-191,
and
Tit.
XIII,
subtit.
D,
of
the
federal
9
Health
Information
Technology
for
Economic
and
Clinical
Health
10
Act
of
2009,
42
U.S.C.
§17921
–
17954;
nonprofit
organizations;
11
or
institutions
of
higher
education.
12
The
bill
exempts
information
or
data
maintained
by
a
13
public
health
authority,
as
defined
by
HIPAA,
from
the
Code
14
chapter
provided
the
public
health
authority
has
received
the
15
consumer’s
authorization,
unless
otherwise
required
by
HIPAA.
16
The
bill
exempts
information
used
only
for
public
health
17
activities
and
purposes
as
authorized
by
HIPAA,
provided
that
18
the
information
is
de-identified,
aggregated,
and
processed
in
19
batches
of
no
less
than
100
consumers
from
the
Code
chapter.
20
Under
the
bill,
a
consumer
shall
have
the
right
to
request
21
to
be
notified
of,
or
to
opt
out
of,
profiling
in
furtherance
22
of
a
decision
that
produces
legal
or
similarly
significant
23
effects
concerning
a
consumer.
The
bill
defines
“profiling”
24
as
any
form
of
automated
processing
performed
on
personal
data
25
to
evaluate,
analyze,
or
predict
specific
factors
related
to
26
the
economic
status,
health,
personal
preferences,
interests,
27
reliability,
behavior,
location,
or
movements
of
an
individual.
28
Notification
to
the
consumer
shall
be
in
plain
language
and
29
include
the
type
of
data
subject
to
profiling,
any
requirements
30
for
a
person
receiving
the
consumer’s
data
to
delete
or
return
31
the
data,
and
the
process
for
a
consumer
to
file
a
complaint.
32
“Decision
that
produces
legal
or
similarly
significant
effects
33
concerning
a
consumer”
is
defined
in
the
bill.
34
The
bill
takes
effect
January
1,
2025.
35
-4-
LSB
5571SV
(1)
90
nls/ko
4/
4